Re: [Ocf-linux-users] openssl-0.9.8g.patch codechange

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Jivin Kennedy, Brendan lays it down ...
> Hi Dave,All,
> 
> It was seen that RSA cert gen fails when using cryptodev through openssl-0.9.8g patched with the OCF 20080917 openssl patch:
> 
> /usr/local/ssl_0.9.8g/bin/openssl req -new -sha1 -x509 -days 365 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/CN=Test-Only-Certificate'
> Generating a 1024 bit RSA private key
> ..........++++++
> ...........++++++
> writing new private key to 'server.key'
> -----
> 25900:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type:p_sign.c:103:
> 25900:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:

Hmm,  I just ran this on the safenet driver and it appeared to work.  I say
appeared as I needed to dummy up an openssl.cnf and perhaps some settings
are different.

openssl most certainly used the safenet driver for some of the work, but
perhaps not as much as the ep80579 you are using.

I noticed it does no OCF calls during the printing of '.'s and does fail
a few session creations,  so it's highly likely the same code paths are not
being used.

> However with the attached patch, it works fine. I was wondering if, to
> your knowledge this impacts any non RSA functionality, or breaks anything
> (it doesn't seem to, but I haven't been able to test everything and it
> looks like it has the potential to break some other PKE function since
> it selects RSA PKE method specifically).

I have no idea.  Do you know why this fixes the problem ?
I don't understand how EVP_PKEY_NULL_method could be right, nor how
EVP_PKEY_RSA_method could be wrong or vice-versa :-)

All in all the PK support in OCF has very little use so it doesn't surprise
me if changes are needed, just need to be fairly sure its a step in the
right direction ;-)

This code only seems to be active when configured with
--with-cryptodev-digests.  Almost no one uses this setting as it is almost
certainly slower than doing the digest in SW.

This no doubt explains why I don't see the error as I don't run with
--with-cryptodev-digests :-)

Perhaps you can work out what is different between running with
--with-cryptodev-digests and without it,  might show up the real problem
with the MD5/SHA bits ?

Cheers,
Davidm

> --- eng_cryptodev.c.orig        2009-05-20 17:12:03.000000000 +0100
> +++ eng_cryptodev.c     2009-05-20 17:12:27.000000000 +0100
> @@ -852,7 +852,7 @@ const EVP_MD cryptodev_sha1 = {
>         cryptodev_digest_final,
>         cryptodev_digest_copy,
>         cryptodev_digest_cleanup,
> -       EVP_PKEY_NULL_method,
> +       EVP_PKEY_RSA_method,
>         SHA_CBLOCK,
>         sizeof(struct dev_crypto_state),
>  };

-- 
David McCullough,  dav...@se...,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org